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CLAIMS : 

What is claimed is: 

1. A method of controlling access to computer system 
5 resources based on permissions, comprising: 

receiving a request for access to a computer system 
resource; 

determining if a superclass permission of a required 
permission is present in each protection domain of an 

10 access control context; 

adding the required permission to a permission 
collection if the superclass permission of the required 
permission is present in each protection domain of the 
access control context; and 

15 granting access to the resource if the superclass 

permission of the required permission is present in each 
protection domain of the access control context. 

2. The method of claim 1, wherein the request is 
20 received from bytecode. 

3. The method of claim 1, further comprising: 
determining the required permission based on a 

CodeSource associated with the request; and 
25 determining the superclass permission of the 

required permission based on the required permission, 

4. The method of claim 1, wherein determining if a 
superclass permission of a required permission is present 

30 in each protection domain includes determining if at 

least one permission collection in each protection domain 
includes the superclass permission. 
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5. The method of claim 1, wherein adding the required 
permission to a permission collection includes creating a 
new permission collection and adding the required 
permission to the new permission collection. 

6- The method of claim 5, wherein adding the required 
permission to a permission collection further includes 
adding any subclass permissions of the required 
permission to the new permission collection. 

7. The method of claim 1, further comprising retrieving 
the access control context for a thread of execution that 
sent the request for access to the computer system 
resource . 

8. The method of claim 1, wherein adding the required 
permission to a permission collection includes adding the 
permission to a permission collection associated with the 
superclass permission. 



9. The method of claim 1, wherein the steps of 
determining if a superclass permission of a required 
permission is present in each protection domain of an 
access control context, and adding the required 

25 permission to a permission collection if the superclass 
permission of the required permission is present in each 
protection domain of an access control context are 
performed by a method called by the required permission 
in response to an implies method operating on the 

30 required permission. 



10. The method of claim 3, wherein the steps of 
determining the required permission based on a CodeSource 
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associated with the request and determining the 
superclass permission of the required permission based on 
the required permission are performed based on a security 
policy file, 

5 

11. A computer program product in a computer readable 
medium for controlling access to computer system 
resources based on permissions, comprising: 

first instructions for receiving a request for 
10 access to a computer system resource; 

second instructions for determining if a superclass 
permission of a required permission is present in each 
protection domain of an access control contexts- 
third instructions for adding the required 
15 permission to a permission collection if the superclass 
permission of the required permission is present in each 
Z protection domain of the access control context; and 

fourth instructions for granting access to the 
computer system resource if the superclass permission of 
20 the required permission is present in each protection 
domain of the access control context. 

12. The computer program product of claim 11, wherein 
the request is received from bytecode. 

25 

13. The computer program product of claim 11, further 
comprising: 

fifth instructions for determining the required 
permission based on a CodeSource associated with the 
30 request; and 

sixth instructions for determining the superclass 
permission of the required permission based on the 
required permission. 
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14. The computer program product of claim 11, wherein 
the second instructions for determining if a superclass 
permission of a required permission is present in each 

5 protection domain include instructions for determining if 
at least one permission collection in each protection 
domain includes the superclass permission. 

15. The computer program product of claim 11, wherein 

10 the third instructions for adding the required permission 
to a permission collection include instructions for 
creating a new permission collection and instructions for 

Jjl adding the required permission to the new permission 

|3 collection- 

i 15 

=P 16. The computer program product of claim 15, wherein 

^S, the third instructions for adding the required permission 

^ to a permission collection further include instructions 

12, for adding any subclass permissions of the required 

13 20 permission to the new permission collection. 

I tsa: 

^■^ 17. The computer program product of claim 11, further 

comprising fifth instructions for retrieving the access 
control context for a thread of execution that sent the 
25 request for access to the computer system resource. 

18. The computer program product of claim 11, wherein 
the third instructions for adding the required permission 
to a permission collection include instructions for 
30 adding the permission to a permission collection 
associated with the superclass permission. 



19. The computer program product of claim 11, wherein 
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the second and third instructions are part of a method 
called by the required permission in response to an 
implies method operating on the required permission. 

5 20, The computer program product of claim 13, wherein 
the fifth and sixth instructions are executed based on a 
security policy file. 

21. An apparatus for controlling access to computer 
10 system resources based on permissions^ comprising: 
means for receiving a request for access to a 
J computer system resource; 

13 means for determining if a superclass permission of 

'"Is 

J5] a required permission is present in each protection 

fU 15 domain of an access control context; 

l5 means for adding the required permission to a 

W permission collection if the superclass permission of the 

5^ required permission is present in each protection domain 

of the access control context; and 
/I 20 means for granting access to the computer system 

resource if the superclass permission of the required 

permission is present in each protection domain of the 

access control context. 



25 22. The apparatus of claim 21, wherein the request is 
received from bytecode, 

23. The apparatus of claim 21, further comprising; 

means for determining the required permission based 
30 on a CodeSource associated with the request; and 

means for determining the superclass permission of 
the required permission based on the required permission. 
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24. The apparatus of claim 21, wherein the means for 
determining if a superclass permission of a required 
permission is present in each protection domain includes 
means for determining if at least one permission 

5 collection in each protection domain includes the 
superclass permission. 

25. The apparatus of claim 21, wherein the means for 
adding the required permission to a permission collection 
includes means for creating a new permission collection 
and means for adding the required permission to the new 
permission collection. 

26. The apparatus of claim 25, wherein the means for 
adding the required permission to a permission collection 
further includes adding any subclass permissions of the 
required permission to the new permission collection. 

27. The apparatus of claim 21, further comprising means 
for retrieving the access control context for a thread of 
execution that sent the request for access to the 
computer system resource. 

28. The apparatus of claim 21, wherein the means for 

25 adding the required permission to a permission collection 
includes means for adding the permission to a permission 
collection associated with the superclass permission. 

29. The apparatus of claim 21, wherein the means for 
30 determining if a superclass permission of a required 

permission is present in each protection domain of an 
access control context, and the means for adding the 
required permission to a permission collection if the 
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superclass permission of the required permission is 
present in each protection domain of an access control 
context operate based on a method called by the required 
permission in response to an implies method operating on 
the required permission. 

30. The apparatus of claim 23, wherein the means for 
determining the required permission based on a CodeSource 
associated with the request and means for determining the 
superclass permission of the required permission based on 
the required permission operate based on a security 
policy file. 



